When it comes to passwords, individual habits and organizational policies vary widely—unfortunately, the pattern is one of weakness. But organizational online security can be immediately improved by the implementation of a few key principles.
Stronger passwords mean that users are keeping themselves safer online—and if users are safer online, it results in your organization staying safer as well. Updated NIST guidelines revealed that some practices once considered foundational are rather outdated, so here are the new Do’s and Don’ts for password policies.
- Make a Long Password
As both computing and hacking advance, the amount of time it takes to guess a set of credentials has dramatically decreased. The length of a password is still, character for character, more important for security than complexity. A strong password needs a minimum of 10 characters, but we recommend more. The longer the password, the more difficult, (mathematically) it becomes to crack.
- Use a Password Lockout Policy
One of the easiest and most effective methods in preventing brute-force hacking is employing a password lockout policy. In this technique, the system locks the user out of their account after too many (typically three) incorrect login attempts. The user is then prevented from logging in for a pre-set period of time, or until the system administrator unlocks the account. Since brute force attacks rely on high-volume guessing of commonly used words, a lockout policy efficiently thwarts this type of attack.
- Blacklist Compromised Passwords
This NIST guideline suggests the keeping and referencing of blacklists of previously leaked/breached passwords and applying patterns from cracking dictionaries. If these lists can be referenced while a user tries to create a password, they can be alerted that their desired password has already been compromised, and be barred from using it. The key is making sure that the lists of compromised data are constantly updated. We update our databases of compromised credentials all day, every day, and provide an Active Directory plugin to make the process of checking passwords against blacklists both painless and secure.
- Don’t Repeat Yourself
It’s more common than anyone would like to admit that people merely alter a single letter, or add a single number, when required to change a password. Humans are predictable and often hackers are able to spot patterns of change, which rapidly expands their attack dictionary. Password Similarity Blocking (blocking those new passwords that are too similar to the old ones) leads to better security because it discourages users from falling into the habit of making a password that’s just different enough to cut it as a new password. Repetitious variations on passwords actually mean the data remains virtually unchanged (just harder to remember!) for the user, and just as easy for bad actors to guess.
- Don’t Rely on Composition
Common but now outdated password policies often include requirements for users to incorporate a certain combination of alphanumeric (a-z, 0-9) and special ($,!,&) characters in their passwords. But research has shown that composition rules often have the opposite effect: frustrated users avoid or try to shortcut the rules by making predictable changes, like shifting their password from ‘lastname’ to ‘Lastname1’. If the user is using slight variations of the same password across many platforms and accounts, it’s nigh on impossible to remember which slightly-different password goes with which account. To make a long story short: it’s much more effective to use a password that’s a random combination of unrelated words all in lowercase (for example: correcthorsebatterystaple) than it is to use a complicated variation on a common password (for example: P@ssword123!).
- Don’t Rely on Password Aging
While encouraging or requiring users to update their passwords after a set timeframe can theoretically increase online security, it’s not always effective in practice. System administrators can establish any sort of time frame, and often assume that the more frequently (say, every three months) their users have to change passwords, the safer the organization is. But attacks occur all the time, so passwords (especially if only altered by a single character!) do not age well, and if a breach occurs on, for example, day one of a three month period, the system’s periodic change is useless. Time is of the essence; the readiness is all.
In addition to this, research has found a similar situation with password expiration policies. Requiring users to change their passwords too frequently discouraged them from making an effort to think of a unique password. Instead they made simple, predictable changes — and bad actors quickly learned those patterns.
Believe it or not, there are many vulnerable users who have never considered the issue of security breaches, and are still choosing the same single dictionary word passwords for all their accounts (from banking to grocery delivery), cross-device. Breaches occur every day and night, and the only way for organizations to ensure they, and their users, are safe is to engage with this reality. The easiest way to take action and assure your organization’s security is to find resources that prevent users from using already breached passwords by referring to a constantly-updated blacklist.
It’s time to rethink password policy. It turns out that the old composition guidelines made passwords harder for users to remember, and easier for computers to guess. Enzoic is built along the new NIST standards and guidelines, which can help improve user experience by eliminating password complexity rules and reducing frequent password resets—all while improving security for the entire system.
By: Bronwen Hudson